Crowdsourced Security is out of Control in the Ukraine Conflict

Alex Haynes
CISO, Cheshire Datasystems Ltd.

The Russian invasion of the Ukraine was bound to have a part of the conflict rooted in cyberspace. While the alleged use of Russian offensive cyber operations against the West has long been a known quantity, the rise of crowdsourced security in the current war has taken an interesting turn.

First of all, there were the accusations of Russia utilizing the Premise microtask platform to identify everything from bomb craters to targets of opportunity. This was backed up by Ukrainian military forces in their Facebook post, which eventually led to a very curt rebuttal from the CEO of Premise denying the claims and then, subsequently, to Premise simply being turned off in the Ukraine.

On the Ukrainian side of the conflict, there was the declaration by Anonymous, who launched #OperationRussia to target government assets owned and operated by the Russian Government, Chechnya and even Belarus. While Anonymous is a wildcard when it comes to targeting, their Twitter feed was quite active with potential targets, and any visit to the Kremlin websites, or any Russian .mil website for that matter, was met with a blank page and a nice error code. This even extended to the MOEX Russian stock exchange, which was serving an ‘I’m a teapot’ HTTP 418 error for the first week of the conflict. At the time of writing, it looks like the site is attempting to DNS sinkhole the DDoS traffic, but it is still down.

Then we get even more specific and end up on the spectrum of official bug bounty platforms. Hacken.io was launched in 2017 and is based in Kyiv in the Ukraine. They specialize in bug bounties and vulnerability disclosure programs around blockchain products. It resembles any other bug bounty platform run by the generic crowdsourced security platforms of today (think Bugcrowd, HackerOne, etc.).

Today, Hacken.io launched ‘Cyber Army’ via email to all security researchers currently signed up to their platform, as a means to get involved directly in the conflict by discovering vulnerabilities in Russian websites to be leveraged by Ukrainian military assets.

The email states:

“Now it’s high time for you to use your technical skills and knowledge for global peace and security. We’ve created Cyber Army to stop Russian propaganda machines and contribute to disseminating real information about the Russian invasion of Ukraine among Russian citizens. Everyone can join us to help Ukraine win the cyberwar against Russia.”

The Telegram group it leads to already boasts around 700 users and is climbing rapidly. Hacken.io elaborates further on this very esoteric bug bounty program on their website, which simply states:

  • Select a Russian propaganda or infrastructure website
  • Find critical vulnerabilities
  • Submit a report
  • That’s it! We’ll put it in the good hands of Ukrainian cyber forces.

They also go on to elaborate that they’re mainly looking for serious issues like RCE, SQLi and RFI/LFI and will ignore low/medium vulnerabilities. This is not the time to pester them with that cross-site scripting vulnerability you found.

Then a suggested target list is rattled off, which includes the predictable targets you would expect in this kind of scenario, such as hosting providers, aerospace, energy and pretty much any infrastructure whose disruption would hamper the Russian war machine.

What makes this quite exotic is that it’s like the ‘Hack the Pentagon’ program but in reverse. Having previously participated in that program, I can say the main differences are, of course, that this is a nation-state openly inviting you to find vulnerabilities in assets they don’t control, for nefarious purposes and with a vaguely defined scope. The Hack the Pentagon program had quite a strong vetting process and the scope was quite specific.

Because of the loosely defined scope and the highly charged geopolitical tension, this is where things can start to go awry: you’re unleashing crowds of zealous security researchers on targets that supposedly matter to one side or the other, but in reality those targets may have nothing to do with the conflict and therefore become innocent bystanders.

All it would take today is a single tweet naming a company, an individual or an asset as being in league with the Russian invasion, and that target would feel the wrath of the masses online, without any gatekeeper there to validate the intelligence in the first place.

While companies around the world are evaluating their exposure to this conflict and trying to shore up their defenses against Russian retaliation for the sanctions imposed, it is increasingly likely that we will see companies caught up in the tidal wave of outrage and become victims of ‘the crowd’ when they are named and shamed, and their online assets attacked, because of a vague association with one side or the other.
